Prevent SQL injection by using parametrized queries
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server
Also be careful with SQL Server Reserved Keywords; use square brackets [] for the field names & table names.
And your code is wrong, try this.
// one INSERT statement per "description,itemno,qty" entry in sc
const string insertsql = "INSERT INTO Items(Description,ItemNo,Qty) VALUES (";
foreach (string item in sc)
{
    if (item.Contains(","))
    {
        string[] splitItems = item.Split(',');
        // the opening "(" comes from insertsql, the closing ");" is appended here
        sb.AppendFormat("{0}'{1}','{2}','{3}');", insertsql, splitItems[0], splitItems[1], splitItems[2]);
    }
}
But use parametrized queries
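The same loop written with SqlCommand parameters, as an added example that is not part of the original answer; the connection string, the Items table and the column sizes are assumed:

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class ItemImporter
{
    // Inserts each "description,itemno,qty" string as one row using a
    // parameterized INSERT, so the values are passed as data and never
    // spliced into the SQL text. Table/column names are bracketed in case
    // any of them is a reserved keyword.
    // Assumed: connectionString and the Items(Description, ItemNo, Qty) shape.
    public static int InsertItems(string connectionString, IEnumerable<string> items)
    {
        const string insertSql =
            "INSERT INTO [Items] ([Description], [ItemNo], [Qty]) " +
            "VALUES (@Description, @ItemNo, @Qty);";

        int inserted = 0;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(insertSql, conn))
        {
            // Declare parameter types once; only the values change per row.
            cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 200);
            cmd.Parameters.Add("@ItemNo", SqlDbType.NVarChar, 50);
            cmd.Parameters.Add("@Qty", SqlDbType.Int);

            conn.Open();
            foreach (string item in items)
            {
                string[] parts = item.Split(',');
                if (parts.Length != 3)
                    continue; // skip malformed rows instead of building broken SQL

                int qty;
                if (!int.TryParse(parts[2].Trim(), out qty))
                    continue; // Qty must be numeric; reject it rather than quoting it

                // A value such as O'Brien's is stored as-is: the quote is data, not SQL.
                cmd.Parameters["@Description"].Value = parts[0].Trim();
                cmd.Parameters["@ItemNo"].Value = parts[1].Trim();
                cmd.Parameters["@Qty"].Value = qty;
                inserted += cmd.ExecuteNonQuery();
            }
        }
        return inserted;
    }
}
```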